
Re: #78: Relationship between 401, Authorization and WWW-Authenticate

From: Mark Nottingham <mnot@mnot.net>
Date: Tue, 26 Jul 2011 15:43:05 -0400
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Message-Id: <89C362A8-6148-4F9F-BFC4-3A80261271D5@mnot.net>
To: Yutaka OIWA <y.oiwa@aist.go.jp>

On 26/07/2011, at 9:15 AM, Yutaka OIWA wrote:

>> 1) Clarify that WWW-Authenticate can appear on any response, and that when it appears on any other than a 401, it means that the client can optionally present the request again with a credential.
> 
> Just for confirmation:
> I remember we had some discussion about this years ago.
> This change will break SPNEGO (see RFC 4559, Sec. 5)
> and other authentication schemes which use
> WWW-Authenticate on 200 as a carrier for authentication
> exchanges, instead of Authentication-Info.
> Is this incompatible change OK?
> (I prefer this direction, though.)

Well, RFC4559 is already broken, because it makes assumptions about the relationship between messages in a connection. 

Regardless, I think we can word it in such a way that Negotiate isn't any more broken; people already know that they need to handle it differently.


> And if this change text intends to introduce opportunity
> for optional authentication to HTTP at this time,
> I think we need more details and restrictions to make it work.
> If the intention is just to clarify header meanings and
> leave the rest for future work, it is OK for me.


I think it's the latter.

Cheers,

--
Mark Nottingham   http://www.mnot.net/
Received on Tuesday, 26 July 2011 19:43:29 GMT
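An added example (not part of the thread or of any implementation discussed in it) of what the header semantics under discussion look like from a client's side: a small parser for a WWW-Authenticate field value and a decision function that distinguishes the three cases raised above, a 401 carrying challenges (credentials required), a non-401 carrying challenges (the optional-retry reading in point 1), and a 2xx carrying "Negotiate <token68>" (the RFC 4559 use of the header as the final leg of a GSS exchange, which is not an invitation to resend). The function names, the Challenge class and the base64-looking token in the test are assumptions chosen for the example; the token is a constructed placeholder, not a real GSS-API blob.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Character classes taken from the HTTP/1.1 grammar: tchar for tokens and
# scheme names, and the looser token68 alphabet used by Negotiate/NTLM blobs.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
_QUOTED = r'"(?:[^"\\]|\\.)*"'
_PARAM_RE = re.compile(rf"\s*,?\s*({_TCHAR}+)\s*=\s*({_QUOTED}|{_TCHAR}+)")
_BARE_RE = re.compile(r"\s*,?\s*([A-Za-z0-9\-._~+/]+=*)")


@dataclass
class Challenge:  # assumed name for the example
    scheme: str
    token68: Optional[str] = None
    params: dict = field(default_factory=dict)


def _lex(value: str):
    """Yield ('param', name, value) or ('bare', text) items left to right."""
    pos = 0
    while pos < len(value):
        m = _PARAM_RE.match(value, pos)
        if m:
            name, raw = m.group(1), m.group(2)
            if raw.startswith('"'):
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # unescape quoted-string
            yield ("param", name.lower(), raw)
            pos = m.end()
            continue
        m = _BARE_RE.match(value, pos)
        if not m:
            raise ValueError(f"cannot parse WWW-Authenticate at offset {pos}: {value[pos:]!r}")
        yield ("bare", m.group(1))
        pos = m.end()


def parse_www_authenticate(value: str) -> List[Challenge]:
    """Split a WWW-Authenticate field value into its challenges.

    A bare token directly after a scheme name is read as that scheme's
    token68 (the GSS blob in 'Negotiate YIIB...=='), unless it is itself
    followed by an auth-param, in which case it starts a new challenge.
    The grammar is genuinely ambiguous for 'Basic, Bearer' (no params on
    either); this parser resolves that case in favour of token68.
    """
    items = list(_lex(value))
    challenges: List[Challenge] = []
    i = 0
    while i < len(items):
        if items[i][0] == "param":
            if not challenges:
                raise ValueError("auth-param before any scheme")
            challenges[-1].params[items[i][1]] = items[i][2]
            i += 1
            continue
        ch = Challenge(scheme=items[i][1])
        challenges.append(ch)
        i += 1
        if (i < len(items) and items[i][0] == "bare"
                and not (i + 1 < len(items) and items[i + 1][0] == "param")):
            ch.token68 = items[i][1]
            i += 1
    return challenges


def classify(status: int, www_authenticate: Optional[str]) -> str:
    """Client-side meaning of a WWW-Authenticate header, by status code.

    'required'    401 with challenges: resend with Authorization or give up.
    'mutual-auth' 2xx carrying 'Negotiate <token68>': the RFC 4559 final leg;
                  feed the token to the GSS context to verify the server,
                  do not resend the request.
    'optional'    any other status with challenges: the reading proposed in
                  the thread, the client MAY resend with a credential.
    'none'        no WWW-Authenticate present.
    """
    if www_authenticate is None:
        return "none"
    challenges = parse_www_authenticate(www_authenticate)
    if status == 401:
        return "required"
    if 200 <= status < 300 and any(
            c.scheme.lower() == "negotiate" and c.token68 for c in challenges):
        return "mutual-auth"
    return "optional"
```

The Negotiate case is carried on a 2xx precisely because, as the thread notes, that scheme uses the header as a transport for the GSS exchange rather than as a challenge; a client that treated every WWW-Authenticate as "retry with credentials" would loop on such a response, which is why the status code has to be consulted before the scheme.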
